May 13, 2008
OpenSSL Ouch
I won't repeat it here, but DSA-1571-1 is waiting for your attention, especially if you generated any key material with OpenSSL over the last couple of years or so. Yes, you read that right: COUPLE.
Upgrading to the new OpenSSL is easy. Generating new keys is another story.
To save (or add to, depending on how you handle this) your pain, there is a simple checker that can currently tell you whether your OpenSSH or OpenVPN public keys are weak enough to warrant replacement. I await a version that can handle X.509 certificates too (though I only just generated a new one today, before the announcement, which means I have to do it again, get its CSR to CAcert for signing, etc.).
And yeah, if you're running openssh-server, consider regenerating your host RSA and DSA keys, e.g.:
# mv /etc/ssh/ssh_host_{dsa,rsa}_key* /some/place/else
# dpkg-reconfigure -plow openssh-server
That should regenerate your keys and restart openssh-server once the new keys are installed to /etc/ssh.
The hard part (of making sure all the keys of your systems are updated and tested) is still up to you, however.
UPDATE: The Debian wiki has up-to-date information on the other packages that generate SSH/SSL keys in their postinst. Please refer to that until the key-rollover page is up.
UPDATE 2: openssh-server has been updated (with the corresponding DSA-1576-1) and is linked against the updated OpenSSL library. Be sure to upgrade! The new package also pulls in openssh-blacklist, a new package containing the database that the new ssh-vulnkey needs for checking SSH public keys.
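As an added example (not ssh-vulnkey's own code, and not from the original post), here is what a blacklist check of that kind boils down to: the key blob from an authorized_keys or host key .pub line is MD5-fingerprinted and the low 80 bits of that fingerprint are looked up in a blacklist. The blacklist layout assumed here (one 20-hex-character entry per line, '#' header lines) is my reading of the openssh-blacklist files, and both the keys and the blacklist below are constructed, so this demonstrates the mechanism rather than detecting real weak keys.

```python
import base64
import hashlib
import struct

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n):
    # SSH mpint: big-endian, with a leading zero byte when the top bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_rsa_pubkey_line(e, n, comment):
    # Encode an RSA public key the way ssh_host_rsa_key.pub / authorized_keys store it.
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)

def _key_fields(key_line):
    # Skip any leading authorized_keys options; return (type, base64 blob, comment).
    f = key_line.split()
    i = next(k for k, t in enumerate(f) if t in ("ssh-rsa", "ssh-dss"))
    return f[i], f[i + 1], (f[i + 2] if len(f) > i + 2 else "(no comment)")

def fingerprint_md5(key_line):
    # MD5 of the decoded blob: the fingerprint 2008-era `ssh-keygen -l` prints (colon-separated).
    return hashlib.md5(base64.b64decode(_key_fields(key_line)[1])).hexdigest()

def blacklist_entry(key_line):
    # Assumed openssh-blacklist format: the lower 80 bits (last 20 hex chars) of the fingerprint.
    return fingerprint_md5(key_line)[-20:]

def load_blacklist(text):
    # One entry per line; '#' lines are headers/comments.
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}

def scan_keys(keys_text, blacklist):
    # One (comment, fingerprint, is_weak) tuple per key line; blank and '#' lines are skipped.
    lines = [ln for ln in keys_text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    return [(_key_fields(ln)[2], fingerprint_md5(ln), blacklist_entry(ln) in blacklist) for ln in lines]

# Constructed demo data: two toy keys (tiny moduli, format only); the first goes on a constructed blacklist.
WEAK_KEY = build_rsa_pubkey_line(65537, 0xC0FFEE0DDBA11DEADBEEF, "weak@constructed")
GOOD_KEY = build_rsa_pubkey_line(65537, 0xFACEB00CCAFEF00D1337, "good@constructed")
BLACKLIST_TEXT = "# constructed blacklist\n" + blacklist_entry(WEAK_KEY) + "\n"

if __name__ == "__main__":
    report = scan_keys(WEAK_KEY + "\n" + GOOD_KEY + "\n", load_blacklist(BLACKLIST_TEXT))
    for comment, fp, weak in report:
        print("%-18s %s %s" % (comment, fp, "WEAK: replace this key" if weak else "ok"))
```

The real tool walks every user's authorized_keys and the host keys in /etc/ssh for you; this only shows the lookup step for one file's worth of lines.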
Tags: debian, linux, openssh, openssl, perl, remote, vulnerability. | Posted at: 16:32